Pretty easy one:

alert udp any 4000 -> any any (msg:"ISS RealSecure or BlackICE Witty Infection Attempt"; content:"|20 20 20 20 20 20|insert.witty.message.here"; depth:146; classtype:trojan-activity; reference:url,http://xforce.iss.net/xforce/alerts/id/166; sid:1111001; rev:1;)

Mostly useful for the Trons crowd (drop disallowed Trons fields accordingly).

--
Tod Beardsley
www.planb-security.net
_______________________________________________
ISSForum mailing list

The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
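
How the rule's header and its content/depth options evaluate against a datagram, as an added sketch that is not part of the original post and is not Snort's own code. The function names and all payloads are constructed for illustration; only the port, content string and depth come from the rule above.

```python
# Values copied from the rule in the post.
RULE_SRC_PORT = 4000
RULE_CONTENT = "|20 20 20 20 20 20|insert.witty.message.here"
RULE_DEPTH = 146


def decode_content(spec: str) -> bytes:
    """Turn a Snort content string into raw bytes; |..| sections are hex."""
    out = bytearray()
    # Splitting on '|' alternates literal text (even index) and hex (odd index).
    for i, part in enumerate(spec.split("|")):
        if i % 2:
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)


def rule_matches(proto: str, src_port: int, payload: bytes) -> bool:
    """Apply the rule header (udp, source port 4000) and the content test."""
    if proto != "udp" or src_port != RULE_SRC_PORT:
        return False
    pattern = decode_content(RULE_CONTENT)
    # depth:146 means the whole pattern must sit in the first 146 payload bytes.
    return pattern in payload[:RULE_DEPTH]


# Constructed payloads (not captured traffic).
PATTERN = decode_content(RULE_CONTENT)           # 6 spaces + 25 characters
IN_DEPTH = b"\x00" * 100 + PATTERN + b"\x00" * 50    # pattern ends at byte 131
PAST_DEPTH = b"\x00" * 120 + PATTERN + b"\x00" * 50  # pattern ends at byte 151
# content is a literal byte match, not a regex: '.' does not match a space.
SPACED = b"\x00" * 100 + PATTERN.replace(b".", b" ")

if __name__ == "__main__":
    print("in depth, udp/4000:", rule_matches("udp", 4000, IN_DEPTH))
    print("past depth        :", rule_matches("udp", 4000, PAST_DEPTH))
    print("other source port :", rule_matches("udp", 4001, IN_DEPTH))
    print("spaces, not dots  :", rule_matches("udp", 4000, SPACED))
```
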
